Authentication systems protect resources, such as documents and data, and accurately identify the creator of the resource. For example, a message (i.e., a written instrument or electronic document) created by an individual can be marked by a hand written signature, sealed by a physical seal, or protected by a password or a personal identification number (PIN) in order to identify the author of the message or control access to its contents. In some electronic or computer systems, the signature, PIN or password of the message creator is stored in a central memory or in storage media that is part of the computer system. When a user desires to read the protected message, the user enters the appropriate signature, password or PIN using an input device. The computer system compares the signature, password or PIN that is entered using the input device with the stored signature, password or PIN associated with the message to be accessed and determines whether to allow the message to be displayed or accessed.
Computer systems often contain valuable and/or sensitive information, control access to such information, or play an integral role in securing physical locations and assets. The security of information, assets and locations is only as good as the weakest link in the security chain, so it is important that computers reliably be able to distinguish authorized personnel from impostors. In the past, computer security has largely depended on secret passwords. Unfortunately, users often choose passwords that are easy to guess or that are simple enough to determine via exhaustive search or other means. When passwords of greater complexity are assigned, users may find them hard to remember, so may write them down, thus creating a new, different security vulnerability.
Various approaches have been tried to improve the security of computer systems. For example, in “have something, know something” schemes, a prospective user must know a password (or other secret code) and have (or prove possession of) a physical token such as a key or an identification card. Such schemes usually provide better authentication than passwords alone, but an authorized user can still permit an unauthorized user to use the system simply by giving the token and the secret code to the unauthorized user.
Other authentication systems rely on unique physical characteristics of users to identify authorized users. For example, fingerprints, voice patterns and retinal images have all been used with some success. However, these systems usually require special hardware to implement (e.g. fingerprint or retinal cameras; audio input facilities). Therefore, there is a need for an authentication method that uses unique physical characteristics of users without requiring special hardware.
One solution involves basing user authentication on measurements of users' keystroke timings using, for example, timing collection software that is installed on the computer system. However, any solution that relies on keyboard timings is subject to errors or inconsistencies that may be introduced by timing changes or variables anywhere between a user's fingers pressing the key and collection of the timing data by a computer and/or timing collection software.